EU Unveils Digital Omnibus, Delays AI Act Rules, Eases Data Access

The European Commission on Wednesday proposed a broad revision of the EU digital rulebook that would push back enforcement of several AI Act provisions and relax elements of the General Data Protection Regulation to allow broader use of data for artificial intelligence development. The draft package, dubbed the Digital Omnibus, also touches on the ePrivacy Directive, cookie and consent rules, and the Data Act.

Under the proposal, enforcement of certain high risk AI obligations originally scheduled to begin in August 2026 would be delayed to December 2027. The delay covers an array of uses that Brussels classifies as high risk, including biometric identification systems, automated screening of job applications, AI in health services, credit scoring, regulation of road traffic, and some law enforcement applications. The Commission framed the changes as "simplification, not deregulation," asserting the goal is to reduce overlap and cut red tape for businesses, in particular small and medium sized enterprises.

The draft would also streamline cookie and consent requirements to reduce pop up fatigue that regulators and companies say has eroded the meaningfulness of consent for online tracking. Perhaps most consequential for the technology industry, the package proposes revisions to GDPR rules to broaden lawful bases such as legitimate interest, allowing firms increased access to datasets for AI training. In certain cases that could include categories of sensitive data being used without explicit prior consent, according to the draft.

The Commission presented the package as an effort to align a fast evolving AI sector with existing rules, while giving developers more predictable access to the data needed to build advanced models. Officials argue the changes will encourage innovation and help European companies compete in an AI landscape dominated by large global players.

Civil society organizations, privacy advocates and some digital rights groups reacted with alarm, saying the omnibus risks undoing two decades of data protection gains. They warned that expanding lawful bases for data processing and postponing stringent AI safeguards will advantage large technology firms that already command vast troves of user data, while exposing individuals to new privacy and safety risks.

The proposal now enters the EU legislative process. Member states in the Council and the European Parliament will debate the measures and must agree before they can be formally adopted. Reuters reporting emphasized the political sensitivity of the package, noting both national capitals and MEPs hold divergent views on the balance between economic competitiveness and fundamental rights protections.

If adopted, the Digital Omnibus could reshape how AI systems are developed and regulated across the bloc, creating a longer runway for companies to comply with tougher AI rules while changing the legal calculus for data access. That outcome would set the tone for transatlantic and global discussions about the governance of powerful AI systems and the tradeoffs between innovation and privacy.